It is finally here! The Season 3 finale, Episode 30, features global thought leader in digital identity, Sarah Clark.
In this episode, Sarah shares her thoughts on the evolving digital identity landscape, the growing market for reusable identity, and mentions several interesting companies she is following in the identity space.
We also dive into her formative years in technology, her journey to digital identity, and how her most recent role as Senior Vice President - Digital Identity at Mastercard influenced her outlook on the major opportunities for global identity.
Sarah and I previously worked together at two companies (including Mitek Systems) and reminisce about our experiences in the early days of identity verification.
RESOURCES:
Connecting with Sarah Clark
Sarah Clark’s LinkedIn: https://www.linkedin.com/in/sarahmclark/
Companies & Resources Discussed
Mitek Systems is a digital access provider, founded to bridge the physical and digital worlds. Mitek’s identity verification technologies and global platform make digital access faster and more secure than ever, providing companies new levels of control, deployment ease and operation, while protecting the entire customer journey.
IDEMIA provides identity-related security services, and sells facial recognition and other biometric identification products and software to private companies and governments.
Mastercard is a global technology company in the payments industry. Our mission is to connect and power an inclusive, digital economy that benefits everyone, everywhere by making transactions safe, simple, smart and accessible. The ID Network is a component of Mastercard’s Digital Identity Services.
Disciplined Entrepreneurship was published in 2013. It was updated in April 2024. The author, Bill Aulet, is a longtime successful entrepreneur and the Managing Director of the Martin Trust Center for MIT Entrepreneurship and Professor of Practice at the MIT Sloan School of Management.
Prove is a phone-centric identity verification provider. Its tokenization and passive cryptographic authentication solutions reduce friction, enhance security and privacy across all digital channels, and accelerate revenues while reducing operating expenses and fraud losses.
SpruceID specializes in the implementation and lifecycle management of mobile driver's licenses (mDL), conforming to international privacy standards that can help governments bolster the administration of their public services, reduce fraud, and protect users.
MATTR is a global leader in digital trust, providing standards-based digital infrastructure that empowers businesses and governments to fortify trust.
Service New South Wales (Service NSW) is a NSW Government executive agency that joined the Department of Customer Service on 1 July 2019. It delivers world-class one-stop-shop services for customers, businesses and partner agencies.
Dentity is a universal trust system for online activity. It allows individuals to create and share a verified identity profile, and request verified information from others.
Ethereum Name Service is the decentralized naming protocol that is built on the Ethereum blockchain. It adheres to open-source standards and is based on a set of decentralized smart contracts that translate blockchain addresses into human-readable names.
FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation.
Impact AI is an AI product lifecycle platform.
Anonybit is a patent-pending decentralized biometric identity platform that prevents data breaches and account takeover fraud.
Information related to regional and country-specific decentralized identity frameworks referenced in this episode:
FULL EPISODE TRANSCRIPT
Steve Craig: Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders and change makers in the digital identity space. I'm your host, Steve Craig, Founder and Chief Enablement Officer for PEAK IDV. For our audience, this is a video for a series. So if you're enjoying the audio version, please check out the video recording on executiveseries.peakidv.com, where you can watch this full episode, read the transcript and access any of the resources or links from today's conversation. This is a very special episode. It is number 30, the season three finale. And I have the distinct privilege of speaking with an identity industry changemaker that I've known and admired for over 11 years.
In this episode, I'm delighted to feature Sarah Clark, global thought leader and expert in digital identity, biometrics, fraud, AI, and Web3 technology. Sarah has over 25 years of experience in product as a business leader focused on leading edge and innovative technologies. For the past decade, she's dedicated her career to advancing trust and identity in digital ecosystems.
She led Mitek's global verification business as the company's first identity unit general manager and was SVP and GM of digital identity for IDEMIA. For the past four years, she led transformation of the global identity ecosystem at Mastercard, where she built a globally interoperable decentralized reusable ID network.
Welcome, Sarah. Thank you for making the time to be on the podcast.
Sarah Clark: Thank you for having me, Steve.
Steve: Let's jump right in. You recently shared a post on LinkedIn that Mastercard made the tough decision to stop investing in its decentralized identity vision and that you're no longer with the company. As you enter this period of transition, reflection, where are you focusing your time?
Sarah: Well, so let me give a little bit of context and then I'll answer your question. So first I want to say, you know, thank you to my incredible team at Mastercard. I was hired there just about four years ago, a little bit more at this point. As you said, to lead the development and go-to-market for ID Network. You managed to say all the words very well. It's kind of a lot to say a globally interoperable privacy preserving decentralized digital ID network. And this was certainly a big vision. And it was such a pleasure being at Mastercard and especially a pleasure working with the team.
Unfortunately, it did come as a shock to all of us to be given the news last year, that Mastercard decided to no longer invest in this vision. We were pumped up and to this day, I still believe it is the right vision. We were a bit before our time. And of course, at a company like Mastercard, there's a lot of priorities, a lot of business units, et cetera.
So we were pretty shocked at that decision. Obviously it was disappointing to all of us that were pouring our hearts and soul into making that a reality. We were making progress. So, you know, emotionally, it wasn't the easiest news I've ever received in my life, to put it mildly. After that, we went through kind of another high where we were given the opportunity to divest the business.
And, you know, obviously I can't disclose a lot of the details, but long story short, we thought we were going to do that. We had a core group of amazing people that we thought were going to exit as a startup, still focused on continuing our work with ID Network, and that fell through. So, it has been a year of highs, lows, highs, lows for me and kind of for that reason, I've sort of stepped away for the last couple of months, been doing a lot of decompressing, being a football mom, you know, spending quality time with the family, working on home projects, that type of thing.
That said, you know, I feel decompressed now. So for the past few weeks I've been getting my head back into the game. At first, I kind of thought, well, you know, I was working on what I still see as one of the bleeding edge visions in identity. You know, where could I possibly go from here? Maybe I'll look at switching industries.
And, you know, I've really done some soul searching, and what I've realized is, I love digital identity. And I am passionate about where identity is going specifically when it comes to decentralized identity. I think it's the right vision. I have a very unique set of learnings that I've developed doing this for the past four years at Mastercard.
And I want to keep contributing my knowledge to the industry. So, you know, I'm sort of exploring right now in terms of what my next steps might be. But I am looking forward to continuing to be part of this industry and specifically part of the decentralized identity aspect of it.
Steve: Those business decisions are never easy, but when it aligns with summer, at least you could spend more time with your family and, you know, be a football mom.
Thank you for sharing that background, Sarah. In your post as well, you express so much optimism about the industry and where it's headed. And you've been on the front road. There's so much change and just tremendous progress in identity verification and digital identity. But there's still a lot that I feel, and I think you alluded to this in your post, that is unsolved. What do you think are some of the biggest challenges that still exist today in summer of 2024?
Sarah: Well, I think the biggest challenges broadly are the same ones that we've been talking about for, you know, Steve, you and I for 10 years now, since we worked together at Mitek. User experiences, fraud, data breaches, sort of that whole, you know, set of challenges. I mean, maybe the one that's emerged a bit more recently, although it's not really a recent challenge, but it's come to the forefront has to do with data privacy. I think as a broad industry, we're still working on, you know, the same challenges that we have been. To me, the big difference is that the standards, with respect to decentralized identity, the momentum with respect to just the tsunami of innovation. And the government investment and some of the projects that are going on globally by governments, just continue to accelerate those tailwinds.
We still need to solve for making it easier for people to get through identity verification. There's a lot of innovation on sort of the signals side of things, the risk score side of things, to make it seamless. I do believe in probabilistic signals. At Mastercard we were using them as a part of onboarding someone to a reusable digital identity.
That said, I do still think that the best solution is a more deterministic digital identity, hopefully surrounded by verifiable credentials that can be very easily shared. And that are bound to a biometric that include liveness, all that stuff. So making it really easy to get to the best solution to stop the cycle of data breaches fueling identity fraud, which is still, you know, rising. I saw a recent FinCEN report and just within financial services, 200 billion of identity related fraud. It's just crazy. And to me, that's the way out of this. And the solution really is decentralized identity made super easy for everyday people to utilize.
Steve: Yeah, we've certainly seen tons of advances just in the last 10 years with the data privacy regulations, the input of AI systems helping to inform those decisions, and I love that you brought up the fact that you and I worked together at Mitek, because before Mastercard, before IDEMIA, you and I worked together to solve these tough problems.
But even before that, you and I had worked together and I want to go a little bit deeper into your professional background before digital identity. You and I, for the audience that may not know, we met in 2013. You'd hired me on as a product manager when we were working at this restaurant loyalty payment startup in San Diego. But I don't think I know a lot about your prior time, your professional focus. So what markets were you focused on prior to us connecting back at that startup?
Sarah: Well, I would say one of the most formative experiences I had after I was a developer for a bit of time and worked at a consulting firm back in the early days is, I moved to Seattle and I spent a bit of time at Microsoft. But when I left Microsoft, I started working at an early internet ad serving company. And it seems so crazy to think about it today because ads follow you around and they're hyper targeted and all that good stuff. But, back then it was a, you know, uphill battle to convince advertisers to try something out called targeted ad serving.
The reason I bring that up is that's when I got my first taste of being at a truly like startup high growth company. And you just learn so much. I learned that I love product. I learned just about wearing many hats. And I learned how to really create a blue ocean with something that, you know, was sort of unknown to the market and, you know this, where it's, you know, you have to be meeting the jobs to be done of your customers.
There's also something to be said for advocating for kind of the next big thing, right? And how do you sort of thread that needle as a product manager? So that's where I learned a lot of those skills. And I just kind of chuckle when I see ads following me around, knowing that I was on the forefront of that.
And then I ended up in San Diego, which is where you and I met at one of the early mobile ordering platforms. So-- and then of course we met again at Mitek and it's funny to think that was only 10 years ago because what we really worked on at Mitek was one of the first DocAuth capabilities in the market.
There were, you know, a couple others that we were competing with. Really, once again, we were solving for a market problem, which was digital onboarding was starting to become more important, but we were also advocating for a new way to do that. And at the time DocAuth was very new and you know, here we are 10 years later and I would say that it's almost a commoditized type of experience.
Obviously you and I had a great time in the trenches, working on that. And what I learned there is that, you know, it is extraordinarily hard to evaluate the authenticity of a physical document captured with a mobile device. It was hard then, I mean, we know kind of all the stuff we went through trying to make that happen. And that's what led me to pursue going to IDEMIA.
So, you know, at Mitek, we tried to solve for that by reading an enhanced security feature that maybe people aren't aware is printed on effectively every US driver's license. You know, we never got that to work. I think the vision was good, but the actual execution, it just couldn't quite be done.
So I wanted to learn more about government platforms and IDEMIA has a big footprint in that space. So spent some time there and then that led me to come to Mastercard four years ago.
Steve: Wow. That's an amazing journey. And I remember that early time working at Mitek and you'd brought me over from this restaurant tech company where we were doing mobile stuff, but it was loyalty, ordering rewards, things like that. And you're like, “hey, this company, Mitek,” which was focused really heavily on mobile check deposit at the time, was innovating in digital identity. And there were just a handful of companies that were attempting to do the document verification. And I recall when you were interviewing me or recruiting me, I don't know what-- which of the other was happening at the time, but you expressed this really important part of building the product around user experience because you had seen these other services. They weren't great user experiences. Curious, where did that UX focus come from for you? And I had a passion for it too, which I think is how we clicked on product stuff. But where did that come from for you?
Sarah: I mean, I don't know, kind of necessity, I guess you could say. It's just one of those things that you learn from, I would say following good product practices.
So, as you know, I am a huge aficionado of agile tenets. And I do feel that agile is one of those kind of extremely overused terms at this point in time, where it can mean almost nothing. Let me just back up. So one of the things that's beautiful to me about agile is how it can support innovation. And one of the mechanisms that it does that is a product owner should never speak in terms of features to the product development team. They should speak in terms of jobs to be done or value that you're trying to bring to market and allow the team to innovate. But the way that all comes together is you need to have what you're going to measure as your acceptance test to say that this was done.
So, you know, supporting growth for your customers is the best way that I've found to build an early stage company because growth sells. Everybody's looking for growth. So when you're measuring for growth, that necessitates, kind of, under that needing to measure for a great user experience. So I think it's just using the tenets of agile, the tenets of good product management.
And how you weave that all together leads you to focusing on user experience. And I do distinctly remember when we were at Mitek, we had users go into-- or individuals, I don't really like the word user-- go into a lab, do you remember this? And we watched them use the product and, you know, it's like, you always need to remember that something that you find easy, not going to be what somebody else finds easy.
And you can measure this through metrics, but watching, the individuals using your product, I mean, we were shocked. We're like-- we were like, “what are you doing?” But it was like such a great learning experience. You know, that's the type of thing that you always need to keep in mind and just have that discipline to do. Because if you can take something and make it simple for people, you can create growth and you can release a product that's adding real value and solving, you know, for what your customers are really looking for.
Steve: That user group research that you just mentioned was one of the funnest times that I had in a product role, because you got to see individuals reacting to the technology that you were working on.
For those that are listening, we had a one way mirror like you do in a police interrogation where you could put your engineers and they couldn't see you. And of course you let them know that there were observers, but you didn't want to taint the experiment by helping. And so watching how just different demographics of people-- those perhaps with accessibility issues or disabilities, those that didn't have the latest phone that couldn't use it. You see how they're trying to verify their identity and like, wow, this is certainly a challenge that we need to focus on. I'm glad you, you brought that up.
When I think about your career, Sarah, moving through your developer role to product, to business leadership and P&L management and managing business units, how have you leveraged UX thinking, agile, and then applied that to the world of digital identity, which sometimes it requires massive scale and technology and big companies?
Sarah: Well, yeah, I mean, it includes massive scale, but I think the core job of a business or product leader is also to never lose sight of the importance of focus. And, you know, again, we're-- I'm sort of going down memory lane a bit with you here, but I do remember at Mitek, you wrote on a sticky note, focus on focus. It was some retrospective that we had. And you know, that's spot on no matter how much scale you're going after, innovation always requires focus. And in digital identity specifically, we have the blessing and a curse in some ways, not really a curse, but and a problem that, as leaders, we need to ensure is solved for our teams, which is there are just so many use cases you can apply digital identity to.
It's really easy to get very scattered and scale comes from your customers loving and finding value from your product. And the only way that that happens is if you really understand and focus on their needs. And even something as horizontal as digital identity, there are unique needs, depending on the vertical, the region, you know, different dimensions within your business.
So it's always very important to focus. So through my journey, I have learned that Bill Aulet is somebody who I would consider to be one of my mentors actually back when I was GM of Mitek. And, you know, he was always on me about focusing. I'd be like, “you know, we're focused on five verticals. You know, why you haven't proven product market fit and published your quantified value findings for vertical one yet, you know, do that first.” And I've learned that scale comes from intense focus. And that's something that I try to, you know, be sure I never lose sight of as a leader. And I will just plug, the book Disciplined Entrepreneurship. I continue to use that book to this day.
Even though Mastercard, as an example, is, you know, far from being a startup. I mean, I guess you could argue that my team was a startup within Mastercard, but we began to use that process. It's just, scale comes from focus. I think it's the way that I would answer your question.
Steve: Great. Great. I remember writing that sticky note and I remember why we were trying to rationalize this acquisition and multiple product paths and the realization came to me that, “hey, we can do anything, but we can't do everything.” So if we could start to focus on focus, perhaps we'll start to chip away at it.
One of the things I've personally seen, not just within the time that Mitek other companies that worked at different companies that are practitioners or users of these technologies, is it's really important that you find that deep user need or customer need. You find that, that pain versus that nice to have. What's your perspective as a business leader, how you avoid falling into that trap or, “hey, this is a great technology. They would love to have this” versus do you really solve that, that customer problem?
Sarah: Yeah, so, you know, as I mentioned, I do think there's a needle that needs to be threaded between advocating for, kind of, you know, the horizon three solution and being responsive to your customer's needs. That said, something that I do see a lot is when folks go into a customer meeting, doing more talking than doing listening. Just listening to your customers and having a sound process for primary market research is very important and having that skill where you are distilling into the job to be done again. That's another methodology that I'm a big believer in.
You know, I think it happens everywhere to everyone that customers will say, “well, I want this feature,” you know, “why, why, why” until you kind of get to the underlying, you know, problem that they're trying to solve is just so incredibly important. And like I said, that should come into the team to use.
And, you know, I see this transition right now kind of happening in the decentralized space, which makes me very happy. I think for a while we had folks that were really deep in what I guess used to be called self sovereign identity. I honestly-- I don't know if there's, you know, if anybody considers there to be a difference between self sovereign identity and decentralized identity. To me, it's kind of a, the same thing, but it was more commonly called self sovereign identity in the past.
And I feel like a lot of folks were talking about the technology, the solution, the standards, and those are all very, very important, but customers don't care, right? I personally feel like we're seeing a shift and the language being used by the folks that are innovating in this space. Now that the standards are ratified and there's sort of more momentum away from that and talking about the value. And you know, that's something that makes me very, very happy.
Steve: Putting you on the spot a little bit, as you were talking through the companies that might be a little bit more technology or standards focused and perhaps not exploring customer need, maybe talking too much in a meeting, are there any companies that you've come across that are just killing it on the product research and just really unpacking and solving deep customer problems? Anyone in digital identity or it could be any company you've come across in the last few years?
Sarah: Oh, well, I mean, that's an interesting question regarding any company I've come across. That's kind of a big question. I'm not sure if I have a great answer to that off the top of my head. So, you know, it's difficult from the outside looking in to really understand who is, you know, doing deep customer research. But, you know, I can say from my experience in the seat of having been a customer to other companies in the identity space at Mastercard, maybe a couple of names that I think, you know, we're doing a good job.
So, just for a bit of context, our ID Network heavily relied on, you know, different partnerships. We weren't looking to solve for the whole, you know, ecosystem that's needed to drive forward decentralized reusable IDs. We were focused on the network. And when I guess-- that means in a little bit more detail is the governance layer that's needed to really tie the whole, you know, issuer, verifier, individual relationship together so that it could be commercially viable. So liability and what happens if something goes wrong and how do you know if an issuer is valid and that type of thing. So, we used a variety of vendors and partners to make that vision a reality. I do think the one company that comes to mind that I think has unique and powerful product is Prove.
So they satisfy a requirement to be evidence in your hand that meets IAL2, according to NIST and others, other frameworks globally. And it had just a really easy user experience. When we said, “hey, we have a customer that has a lot of underbanked individuals are trying to onboard, we need an adjustment to better work for them.” You know, they were on it. So I thought that was a great example of unique product in a saturated space and just being really responsive to our needs. So I'll go ahead and give a shout out to the Prove team.
Beyond that, you know, I've been really following, you know, who's doing what when it comes to decentralized ID. And I think there's a series of companies that are doing really good work, being responsive to both government needs, as well as incorporating the standards that will be necessary to scale government issued IDs.
I really like the work that SpruceID is doing with the California DMV and the mDLs that we have beginning to be issued in the state. I really like their work pairing the mDL ISO specification to verifiable credentials are kind of what I understand them to be doing. And as a California mDL holder, you know, I'm glad to see that happening.
I think it's really important that these high assurance government issued IDs make it to market. I think MATTR from what I can tell has been doing great work. That's great for the citizens of South Wales and Australia through their work with Service New South Wales. And, you know, they have a variety of verifiable credentials, so you can do all sorts of stuff through that app. So I think that's great.
And, you know, I'll also give a shout out to Dentity for their partnership with the Ethereum Name Service. I know we'll probably talk a bit more about Web3, but I think that seeing partnerships between decentralized digital ID and, you know, something like Ethereum Name Service joining the two. I find that to be very powerful.
Steve: Well, we're at about the midway point, Sarah, on this, and we've covered your background and how we know each other and a lot on different topics. Let's get deep now into digital identity. You mentioned earlier that the topic of self sovereign identity often is referred to maybe as reusable identity or decentralized identity.
I've seen it called portable identity and then you just referenced mDLs. One of the problems I've seen in the space around these user centered models, so there's this cold start problem. How do you get enough of a critical mass of users using these, whether it's a wallet or a decentralized ID to be able to assert it in different places.
And until we have that, we have these centralized repositories, these big honeypots of data that are being collected and individual verifications. What are your thoughts on how the industry could innovate out of that model and truly get to that vision of that user centric model.
Sarah: Yeah. I mean, that is the key problem and I'm not sure that it's, you know, a solved problem. I think the reality is it will start sort of in kind of smaller pockets and, you know, this kind of dovetails into what we were looking to do through our work at ID Network, which would have been to kind of stitch some of this together. Because, you know, the reality is that at the end of the day, individuals need, you know, very similar, right, to the Mastercard logo on your credit card.
You need a way to know that you can use, you know, your decentralized digital ID or some set of verifiable credentials on a specific site. I think we were a bit ahead of the market with that vision, which, you know, it is what it is type thing. But, you know, I do think that the cold start problem, you know, again, going back to focus, will likely start as pockets of value that eventually gets stitched together.
Now that said, this is obviously something that we spent a considerable amount of time at Mastercard working on. And I guess I have a few observations for where some of those early scaling opportunities could be. One is, you know, we think about, you know, an individual using their reusable ID across like a lot of different areas of their life.
And that's the vision we all want to get to. But even within a single organization or a, you know, organization that may have affiliates or related organizations, there's a tremendous problem with data silos, with the need to have consistency of user experience and security just across multiple channels.
And I think that that's a really interesting starting point for others in the space. One of our largest projects, where, you know, within around a year, we had onboarded 1.5 million people, was working with a wireless carrier that needed to be able to interact with their own customers across the different channels in their business in a way that they were absolutely sure that it was that person and could make it super easy.
And going back to the theme of data privacy, data is becoming a liability to hold with data breaches, with data privacy regulations, with fines for different things and just reputational risk. So they didn't want to hold a bunch of PII anymore, but they needed it to be reliable and simple. So we helped them make sure that they could interact with their customers across mobile, online, chat, call center, and in person all using their digital ID. And from there we were building a user journey out for those individuals.
Another recent example, that, you know, I was speaking to someone and, you know, they're pursuing this strategy is with affiliate companies. So sometimes one organization owns other companies and they may, you know, say for their employees, want to offer discounts at these other companies. You could easily do that by enabling your employees with verifiable credentials, which they could then go provide to a bank or an insurance company that may either be owned or affiliated with the employer. So, just starting to think about those cross-channel, cross-company use cases where there's data silos that make things too hard for real people. Those tend to be a very good starting point.
You know, the entertainment experience is another one that we were working on. Ticket sale, venue entry, restricted purchases. You just make that easy, people will use it because they're getting value. And then you go out from there.
So those are some of the opportunities that I've seen that really helped with the cold start problem and getting individuals onboarded into a reusable ID that they would then, you know, use immediately for frequency of use purposes. And then you keep going from that starting point.
Steve: You make a really good point about interoperability just within one enterprise. I think we've all experienced having to verify multiple times in different business units for a bank, like, “well, you know, me, I'm a checking customer. Why am I doing an IDV for a mortgage loan?” And why are those pieces not connected?
And then as sporting events, even within ecosystems like the NBA or the NFL, like different team, like they should roll those up for this fascinating to be able to think about it in that way and then expand that out.
One of the other challenges beyond the cold start problem that I've personally seen working within solution providers is this business model issue. Because today, a lot of the IDV oriented piece is transactional. The companies that provide this service, they make money for each transaction. And then you introduce this concept of, “well, now there'll be portable and reusable and you'll verify once, and then you won't have to do it again.” And that, that sounds great. It's efficient for the market, but then those companies think, “well, am I going to cannibalize my service now? And how I should think about that.” What kind of models have you personally explored when thinking about how to keep all of the parties incentivized to be able to move in this direction. Is there anything maybe in the network model that has worked or experimented with?
Sarah: The model that, you know, I think is the right one is the company that needs to perform the verification. They would normally be, you know, paying for that in some fashion or they need to be, right? Because right now they're experiencing fraud or inefficiency.
And again, I guess one of the challenges, one of the blessings, but yeah, challenges that we have in this industry is we have a value prop that spans, you know, multiple kind of dimensions for a business. So generally they need to be doing a verification and it's something that if they're not paying for today, they need to.
So the verifier, otherwise known as the relying party, would pay for that check. You know, a lot of times this can make them a lot more efficient in clicking, you know, spurring growth, yes, but also very significant efficiency gains, especially when we get into the world that I think we all want, which is you could have multiple verifiable credentials.
They pay for, you know, the check, which may just be a digital ID. It could be a digital ID, a background check, proof of insurance. I mean, imagine the gig economy and how the question of onboarding a new employee into a gig economy company could just be made so much easier if somebody came with multiple verifiable credentials.
So, anyway, they pay for the check. And then what I think is really important is that everyone in the ecosystem has an incentive, the relying party, their incentive is they need these checks. It should be something that they will pay for. The issuer, we need them to participate, right? So they receive a revenue share from the price that's paid for the relying party for the check. And then the individual, you know, does not pay. I've seen some models where maybe they're having the individual pay. I don't know if that's the model that will lead to scale. So I think monetization belongs with the relying party.
You know, that said, there are sub-models within that, right? Where maybe there's a price per verification or per the, you know, transmission of the verifiable credential, hopefully through a zero knowledge proof, or maybe some attributes that the individual approves. Or maybe there's something where it's like a per individual per year, if that individual will be using their decentralized ID for ongoing authentication.
And kind of going back to your earlier question where you asked me. What some of the problems still are to be solved, I think I mentioned, if not, I should have, there's still this rift between verification, identity verification, and ongoing authentication. And a simple way to solve for that when you're in a world of decentralized ID is you can just use that for ongoing authentication as well.
So what we were working on was looking at a per individual per year cost to the relying party that could include, you know, a verification and then the ongoing use for, you know, whether they be high value transactions or just logging in, there still tends to be that gap. And I'm a big believer in FIDO. I think it definitely has a role in the overall approach. But it's really important that the biometric is bound to the digital ID and used contiguously from that initial identity verification through to ongoing authentication. In my view, that's the best possible approach for the highest level of security.
Steve: Yeah, I've had a few guests on this program that have brought up that concept. Some call it the circle of identity or identity continuity to connect that identity proofing step or identity verification to how do you know it's still that person. And then that creates an entirely different business model where it's not that one time and you never see them again, right?
On the business model side, Sarah, that there are a lot of experts in the field, those I've spoken with and content I've read, that feel like big tech, Apple, Google, Microsoft, Meta, maybe Amazon, they're going to be the ones that will own identity. They have different business models to support their main ecosystem. And so this becomes a feature they add. What's your take on companies like that being the thing that ushers in decentralized identity?
Sarah: So, I would say Meta for me does-- doesn't have a clear role. I don't think that there's a good synergy with their, you know, business today. But like the Apples, the Googles, the Samsungs of the world, you know, their wallets, I think very well could have a meaningful role and already do. You know, we'll kind of see how that shakes out, I guess. One thing that I really like that, I think was just announced last week, is Apple opening up their operating system so that businesses and governments can use the secure element as well as NFC capabilities.
And I think some of that maybe was pressure from the EU, but it's also probably something they've strategically been looking at for quite some time. And I think that that's really great because that allows governments to also utilize those capabilities for their own wallets, governments or private companies for their own wallets.
And I think that kind of competition is good. And I would see the Apple wallet also being a part of that future decentralized identity approach. I mean, we already see that kind of going back to the California mobile driver's license. California has an app and that continues to evolve and it appears to be en route to adopting the right standards.
But those IDs can also be put into the Apple wallet. I think that once you get into, you know, different credentials outside of those directly issued by governments, you start to potentially run into an issue with, you know, how do those end up in the Apple wallet so that there is governance that exists within the sharing framework.
But again, with payments, you know, and this, I guess, dovetails back to the ID Network vision with payments, you can have a Mastercard in your Apple wallet and you know that you can use that in the Mastercard network. So, I don't see that as being really any different for digital identity at this point in time.
And in fact, we were working on with-- we were working with one of the providers on just that, credentials in their wallet interoperating with the ID Network where you know the issuer was a known and approved by the network to be shared to any relying party on the network. And there was governance that happened so if something went wrong and liability and all of that was handled. I don't think that's a role for Apple or Google, who are creating, you know, platforms for mobile customers. So, you know, I see all these puzzle pieces kind of coming together. And, certainly the OEM wallets seem to have a role, but I think competition is also really good.
We see a lot of independent wallets entering the market and we haven't really talked about eIDAS 2. I think that's just an amazing, you know, development that's happening. I think there's some potential issues with the, what do they call them, like the provisions that have been put forth. Overall that's opening up a whole world of, you know, pilots around how did these pieces all come together?
So, I don't know. I don't think anybody really knows definitively, but that's my take.
Steve: It's a lot of speculation and there's a lot of analysis around it. I'm glad you brought up the European regulation. Where do you see regulators globally really propelling this forward? Because it's so fragmented. Like the US has, you know, one strategy, which is like no strategy, give it to the state. And then you've got the European approach and you've got an approach in Canada and Australia. Is this like a forcing function or is it too much regulation as they start to assert these standards?
Sarah: I think it is a bit of a forcing function. I mean, GDPR was also a bit of a forcing function, you know? So I do see what the EU is doing as being on the leading edge of pushing forward a new paradigm of decentralized identity. So I certainly embrace that and I'm eagerly awaiting, you know, some more information on some of the results of the pilots.
I haven't seen any yet. You know, certainly eIDAS 2 is a very exciting development, but beyond that, yeah, I guess we have really a potpourri of either legislation and regulation, or just initiatives being done by governments. So, Australia is a place where they sort of have both, right? There's a recent initiative between the states and the federal government to ensure that mDLs issued at the state level can interoperate-- I should be able to say that word by now-- and that they can also exist in the federal level wallet is my understanding. At least of what's happening there. They had something called TDIF, which has now been renamed, and I can never remember the new name, so I apologize for that. But, where they've defined a trust framework and roles within the framework, and they have an accreditation process. Same type of thing is happening in the UK, albeit a bit slower, in my understanding.
So those are examples of some markets that are leading with some legislation and regulation. They also have digital driver's licenses being issued in Australia. So Australia is like a really interesting market for your listeners. I would encourage folks to learn about that market because it may be a glimpse into what may happen in other markets. We also see the adoption of decentralized identity happening by other governments. So Brazil was a market that we were focused on at Mastercard. They recently announced that they are adopting a blockchain based decentralized ID starting with a couple of the states within Brazil.
You know, again, adopting verifiable credentials and all of that is what it appears to be. I would want a little bit more info before being completely confident on that, but that certainly looks promising. That's something that we've seen South Korea, you know, that's something that Indonesia is pursuing.
So that, you know, there's certainly pockets of governments pressing forward with decentralized ID, whether it be Europe, Australia, or some of these other regions that may be less regulatory in my understanding and more about government projects. To solve real problems again for their citizens, people need an easier way to communicate that they are who they claim to be or to share certain credentials they have between government, what do you call them, units, and that's not easy today. And a really clean way to solve that, both for the government and government services -- that was the word I was looking for -- as well as for individuals is to use this type of decentralized approach.
Steve: Yeah. These are amazing insights, Sarah, with your experience recently in Mastercard and all the years you've been working in the regulatory environment.
I find that the, the regulatory change, whether they be new data privacy rules, it'd be new standards, digital identity initiatives; so difficult to keep up with. And I'm for sure we could spend an hour, two hours just on that topic, kind of dissecting each one of those. I'll be sure to link to each one of those initiatives too, that you brought up. I think those are all great, especially the Australian ones for people to check out.
We're coming up on time though, we're almost at the end and I wanted to get to a couple recent developments just within your background here. So a few months ago, you joined an advisory board of a company called Impact, an AI tech startup. Wanted to learn a little bit about that because I don't have a whole lot of context around that. If you can share about how you got connected with that team and what that's all about.
Sarah: Well, a friend of mine is actually the CEO of that company. And, you know, I guess a little bit of a plug for anybody that's interested in the opportunity around utilizing AI for efficiencies in their own business.
He also is the CEO of a company called Mind Studio, and they have incredible tools for that. So he's really deep in the generative AI space. And, you know, sort of hit me up to see if I would be interested in joining his advisory board for Impact. Because, you know, I guess similar to a lot of companies in the AI space, there are data privacy issues to be considered and solved for. And that's something that he wanted to ensure that he had some, you know, knowledge of within the bench of his team. So, it's also a good way for me to get a little hands on with sort of understanding better, the power of AI to solve different problems.
The specific problem that it's looking at is misinformation. And, you know, I've learned a lot about some content of authenticity standards that I think are really powerful. I actually posted recently that LinkedIn adopted something for that. And that, I guess, sort of dovetails into deep fakes and all of that.
I mean, the, the power of AI can be very disruptive. There are new standards emerging and, you know they're also focused how to use generative AI to combat or dispute or explain that something is misinformation in a way that's effective with stopping it in its tracks. So some pretty big, interesting problems that I'm just personally interested in as, you know, a parent, as a politically active person. So, yeah, that was a recent development for me.
Steve: It sounds like an amazing fit. And on the topic of AI and generative media, deep fakes, these are topics that you and I've been talking about for years, even back to when we were looking at how to detect different security features or to classify. We had an amazing labs team at Mitek, but it's these last few years where it's gotten so good that the average everyday person, even you and I know these technologies. We can't distinguish real from fake. It's getting harder and harder. And on the topic of like identity and deep fakes, we talked a little bit about Meta, not likely the one that will do identity at scale, but the platforms like LinkedIn or X, they've started to roll out these verified profiles, which in a way make sure you know who this person is, but there's still these deep fake videos that flood around.
Like, what do you think is going to happen at the confluence of deep fakes, identity and in these big platforms, some of which charge for you to be verified? Curious about your take on that.
Sarah: Yeah, so deep fakes are certainly scary. I mean, just the power of AI to scale scams of all sorts, whether it be deep fakes that are more sophisticated or just more effective phishing scams, a lot of this comes back to why certain technologies within our space are so important. You know, we didn't touch on all the innovation with liveness and presence detection. I think those are the-- that's one of the areas where we've seen the most progress. I guess there's been progress across all of them, but that is so important.
Any reusable ID offering can absolutely must use the best liveness and genuine presence detection that there is. And you don't always have to use it for every single transaction necessarily. There can be some approach that balances all of that, but I'm certainly very encouraged to see those solutions get so much more mature because biometrics, including that are, you know, very key along with the cryptology that's, you know, exchanging keys to make sure the sharing of credentials is secure. I guess just kind of sticking on biometrics and I'll go back to your question, I'd also like to point out that when we're talking about problems in the space, one of the biggest problems that I've seen through my experience with reusable ID is not necessarily AI driven, although maybe it can be to generate some of these licenses, but it's the same face across multiple ID documents that happens and it's not insignificant. So I think there are maybe these farms where they're turning out these fake IDs and they can be very good quality. And by being able to detect the same face across multiple submitted ID documents, that is the way you can stop it.
Because it's almost impossible for some of these to tell if the face was swapped in, or if the ID is fake. And that's where we get into the incredibly important innovations of Anonybit and others who are doing something similar that we're not creating honeypots, but where we can solve for these very real threats that exist in the market. So I just wanted to point that out.
Steve: And on the use cases had dating apps and different forums, like sometimes anonymous is a feature. Other times you want to know what you're speaking with, like on LinkedIn, you want to know it's a real person. We could spend a ton of time on that, but we are at the end of our time for the conversation.
I've got just one or two final questions, and this is part of how I run this series. If you've seen any of the past episodes, I'd like to go a little bit beyond the profile, a little bit beyond the press releases and the other media that you've done. And share more about you as a person. And since I know you-- have known you for many years, I want to share that. I know you're quite artistic and you even have a workshop where you create things. Can you share with us what you like to create, the mediums you create in and what you do with your art?
Sarah: I mean, I try-- I would say like, I'm a big proponent of creative outlets even if you think you suck. I just think that it's so important and something that sometimes can kind of be forgotten as just an outlet that is important for life. And when we just kind of look at, you know, business and tech and there's a million things to do and all this pressure. Sometimes just taking time to do something creative can-- I have like my biggest ‘aha’ moments when I'm supposedly not thinking about work.
I mean, I'm always kind of thinking about stuff, but when I'm embarking on something creative, so it's just-- it's a practice that I prioritize or I choose to prioritize in my life. So right now, I'm really into using interior design as my outlet for creativity. So I have an absolutely, you know, crazy themed Airbnb that was created by hand.
And I'm currently looking at a small boutique hotel, which will also adopt a crazy theme. So that's kind of become my medium, as of late. And it's just, it's a ton of fun.
Steve: I can't wait to see what you do with that boutique hotel. And I've stayed in some boutique hotels that go a little bit crazy. So I'd love to see how you apply your creative expression to it.
Well, Sarah, thank you so much for sharing. You have shared a ton. I'm sure the people who are watching this or listening to it will learn a lot from your experience over the last decade plus in identity. For those that are watching or listening, what types of conversations would be interesting to you if they reached out, how would you like engagement from the market?
Sarah: Well LinkedIn is a good way to get in touch with me. And I mean, I just like to talk about this stuff. So, and you know, if anything I said resonates with you or if you're working on cool stuff in the space, I'd love to hear from you.
Steve: Amazing. Well, I'll provide your LinkedIn profile and the resources for this episode.
Again, Sarah, thank you so much. I'm glad we could finally connect for this and to close out season three with your appearance. I look forward to seeing what you do next and I hope we can work together again soon.
Sarah: Me too. Thank you.